OIDC users are synchronized by username instead of identifier

Vote:
 

Hello everyone,

We are using OIDC to authenticate users and noticed that the users are synchronized to the database based on their username by the ISynchronizingUserService. By default the username comes from the ClaimTypes.Name claim, which in our case can change for a user because it is simply made up of the first name and last name. When this happens a new SynchronizedUser record is created in the database and that causes issues with some functionality in the CMS. For example you will see the old username in the 'Last published by' label and versioning gadget.

The NameIdentifier claim contains a code/id that is unique to the user and will never change (it is also used by the user as their username when logging in). We can use that as the username by setting the NameClaimType to be ClaimTypes.NameIdentifier, as you can see here: 

TokenValidationParameters = new TokenValidationParameters
{
    NameClaimType = ClaimTypes.NameIdentifier
}

The problem with this approach is that the username is displayed throughout the CMS. It therefore becomes hard to identify which user published content changes. Is it possible to create a custom implementation of sorts to display first and last name instead of username within the CMS? 

Example:

Ideally the user synchronization would support using an identifier instead of the username. Also I believe some IDPs return the email address in the name claim, which I assume would result in the email being displayed in the CMS, but I could be wrong about this though.

Any thoughts?

#279449
Edited, Apr 29, 2022 4:38
Vote:
 

This issue is a bit bigger than just synchronization of users. Ideally, the UI should display the full name of the user instead of just the username. Then you could use NameIdentifier as Name, if Name is not immutable in your identity provider. Can't find it now, but I'm pretty sure that idea is already reported here https://feedback.optimizely.com/ideas.

#279454
Apr 29, 2022 9:54
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.